ECJ pronounces on Swedish data ‘abuse’

When a Swedish churchgoer put information on her web pages about fellow parishioners preparing for confirmation, little did she realise she would end up in the European Court of Justice. For the verdict and the lessons for marketers.

Topic: Data protection

Who: Mrs Bodil Lindqvist

Where: The European Court of Justice, Luxembourg

When: November 2003

What happened:

The European Court of Justice has issued its first ruling on the EU Data Protection Directive 95/46/EC, which underpins all European Union Data Protection legislation.

Mrs Lindqvist worked for a church in Alseda, Sweden where she provided information on her internet pages for parishioners preparing for confirmation. In these pages Mrs Lindqvist supplied details about herself and 18 of her colleagues, which included their full names or first names. She is said to have described "in a mildly humorous manner, the jobs held by her colleagues and their hobbies." Other information was also included regarding family circumstances and telephone numbers. In one case, Mrs Lindqvist referred to a colleague who had injured her foot and, due to medical grounds, was working part time. Mrs Lindqvist had not obtained her colleagues' consent for publishing this information, nor had she informed the Swedish Data Protection Authority that she was processing others' personal data, a legal obligation as it is here in the UK.

When colleagues discovered the website entries, they complained to the Datainspektionen (the Swedish Information Commission) and although Mrs Lindqvist removed the information from the pages promptly, she was still prosecuted for breaching Swedish data protection law.

She was charged specifically with processing personal data by automatic means without giving prior notice to the Datainspektionen, processing sensitive personal data without authorisation and transferring processed personal data to third countries without authorisation.

Having considered the arguments, the European Court of Justice reached its determinations on these points, none of which were particularly surprising.

On the failure to notify the Swedish Data Protection Authority, the court found there to be no exception for the sort of processing Mrs Lindqvist was doing, and confirmed that there had been an offence on this count. On the "sensitive personal data" issue, the court again confirmed that the reference to the colleague's injured foot was processing of data relating to health. This was "sensitive personal data" and therefore could not be processed/put on the web pages at all without the relevant individual's prior express consent.

On the third issue, namely referring personal data to third countries, the prosecuting authority had argued that even though Mrs Lindqvist herself did not transfer data out of Sweden to another state beyond the European Economic Area (the EU plus Iceland, Liechtenstein and Iceland) Union the fact that residents of states outside the Union could access the data amounted to a transfer.

The ECJ quashed this argument comprehensively. Just because data maintained by an EU resident on the web is accessible by individuals outside the European Union who were connected to the internet did not mean a transfer of data out of the European Union. Where such transfers did take place, there were tight restrictions on the activity if the transferee country did not have adequate data protection laws. However no such transfer was happening here and so there was no offence committed on this count.

Why this matters:

This decision emphasises the wide reaching and indiscriminate nature of the European Union's data protection laws. It is a little sad that the case should arise out of such an apparently harmless and well meaning personal endeavour, but it nevertheless serves as a timely reminder to all those who are processing personal data of the need to ensure compliance with Europe's restrictive laws in this regard.